- July 2022
- Engineering Memo · External Release
Many organisations send transactional email (order confirmations, password resets, account notifications) and marketing email (newsletters, promotional campaigns, product announcements) from the same domain — often from the same From: address structure. This shared domain configuration creates reputation entanglement: the signals generated by marketing email (higher complaint rates, variable engagement) affect the domain reputation that transactional email delivery depends on, and vice versa.
This note explains why domain separation between transactional and marketing email is operationally important, what the separation looks like in practice, and the configuration steps required to implement it without disrupting either traffic type during the transition.
The Reputation Entanglement Problem
Gmail attributes domain reputation to the DKIM signing domain. When transactional and marketing email both sign with the same domain (brand.com), all messages — regardless of type — contribute to a single domain reputation signal at Gmail. A marketing campaign that generates 0.08% complaint rate affects the domain reputation that determines whether password reset emails reach the inbox. A transactional email that triggers an unusual engagement pattern (many opens in quick succession from a single IP — characteristic of mobile device activation OTPs) can affect the reputation of the marketing email pool.
The entanglement is asymmetric: marketing email typically generates more reputation risk than transactional email (higher complaint rates, more variable engagement), which means the shared domain's reputation is pulled toward the marketing tier's quality level rather than the transactional tier's superior quality level. Transactional email effectively subsidises the marketing email's reputation risk by sharing a domain with it — without receiving any reputation benefit in return, since the transactional email's excellent engagement signals are averaged with the marketing signals rather than building independent transactional reputation.
Figure 1 — Shared vs Separated Domain: Reputation Signal Independence
The Domain Separation Architecture
Domain separation uses subdomains of the root brand domain for each traffic type. The structure that most programmes adopt: mail.brand.com or notifications.brand.com for transactional email; news.brand.com or marketing.brand.com for promotional campaigns. Both subdomains carry the brand name (recipients see a familiar domain), but they build independent subdomain reputation at ISPs that track subdomain reputation separately from the root domain.
The DKIM signing configuration changes to match: the transactional VMTA in PowerMTA signs with a DKIM key for mail.brand.com; the promotional VMTA signs with a DKIM key for news.brand.com. DMARC alignment is maintained because both subdomains are subdomains of brand.com — DMARC allows subdomain alignment when the From: header uses a subdomain of the authenticated domain.
At Gmail, Postmaster Tools tracks domain reputation at the property level — each registered domain or subdomain can be registered as a separate property. After implementing domain separation, register both mail.brand.com and news.brand.com as separate Postmaster Tools properties. This provides per-subdomain spam rate and domain reputation data, making the reputation independence of the two traffic types visible and measurable.
Implementation Without Disruption
The transition from shared to separated domains must be managed carefully to avoid authentication failures or reputation disruptions. The recommended implementation sequence:
Week 1 — DNS preparation: Create DNS records for both subdomains: DKIM TXT records for the new signing selectors, SPF records for each subdomain's authorised sending IPs, and DMARC records for each subdomain (starting at p=none to allow monitoring without enforcement). Verify all DNS records propagate correctly using dig commands before any configuration changes in PowerMTA.
Week 2 — PowerMTA configuration: Add the new DKIM signing configurations for mail.brand.com and news.brand.com to PowerMTA. Update each VMTA to use the correct domain's signing key. Test with a mail-tester.com check from each VMTA to verify DKIM signing and DMARC alignment before routing any production traffic through the new configuration.
Week 3 — Gradual traffic migration: Route 10% of transactional traffic through the new mail.brand.com signing configuration while monitoring delivery rates and Postmaster Tools data for the new subdomain. Confirm the new subdomain is receiving data in Postmaster Tools (indicates Gmail is seeing the messages and attributing them to the new subdomain). If no issues after 48 hours, increase to 50%, then to 100% over the following week.
Week 4 — Complete migration and monitoring: Route all transactional traffic through mail.brand.com and all promotional traffic through news.brand.com. Both subdomains are now registered in Postmaster Tools. Monitor daily to confirm reputation is building independently on each subdomain. After 4 weeks of stable separated operation, upgrade both DMARC records from p=none to p=quarantine.
Table 1 — Domain separation implementation checklist
| Step | Component | Verification |
|---|---|---|
| 1 | DKIM TXT records for both subdomains | dig TXT selector._domainkey.mail.brand.com |
| 2 | SPF records per subdomain | mxtoolbox SPF check for each subdomain |
| 3 | DMARC records at p=none | dig TXT _dmarc.mail.brand.com |
| 4 | PowerMTA DKIM signing config updated | mail-tester.com DKIM pass for each VMTA |
| 5 | Postmaster Tools properties registered | Data visible in PT for each subdomain after 48h |
| 6 | DMARC upgraded to p=quarantine | Aggregate reports show all sources passing |
Domain separation between transactional and marketing email is one of the highest-value, lowest-disruption configuration changes available to programmes that currently use a shared domain. The implementation takes 4 weeks, requires no application changes (only DNS and PowerMTA configuration), and produces permanent reputation independence between the two traffic types. The transactional tier can build High reputation based solely on its own excellent signal quality, without the marketing tier's variable signals creating a ceiling. The marketing tier operates on its own reputation foundation, and reputation events in either tier no longer contaminate the other. Implement it deliberately, verify at each step, and the reputation independence it provides will compound over every subsequent campaign and transactional event.
The Long-Term Reputation Dividend
The reputation dividend from domain separation compounds over time. In the first month after separation, both subdomains are building their independent reputation histories -- the transactional subdomain from its near-zero complaint sends, the marketing subdomain from its campaign history. Both may show similar reputation tiers initially, as the shared history is what Gmail has seen before the separation.
By month 3, the divergence begins. The transactional subdomain -- receiving only OTPs, order confirmations, and account notifications, with near-zero complaint rates and high positive engagement (users actively look for these messages) -- is trending toward High reputation. The marketing subdomain is at the reputation level that its campaign quality deserves: High if the programme maintains excellent list quality and low complaint rates, Medium if complaint rates are in the 0.05-0.10% range.
By month 12, the transactional subdomain has established High reputation based entirely on transactional signal quality. Password resets and authentication codes reach the inbox reliably regardless of whatever the marketing programme is doing with its own reputation. The marketing subdomain's reputation reflects the marketing programme's quality -- which creates a clear accountability structure: marketing team decisions about list quality, campaign frequency, and content directly affect the marketing subdomain's reputation and delivery performance, without affecting transactional reliability.
This accountability structure is valuable beyond the technical reputation independence. When the marketing team understands that their content and list quality decisions affect their own subdomain's reputation -- not the transactional subdomain that the product team depends on -- the incentive for quality management is clearer and more immediate. Poor marketing campaign decisions affect marketing campaign delivery; good marketing practices produce improved marketing inbox placement. The separation aligns technical incentives with organisational accountability in a way that shared domain sending cannot.
Recipient Experience: Will They Notice?
A common concern with domain separation is whether recipients will notice the change and whether it will affect their perception of the sending brand. The practical answer: very few recipients notice the sending domain at all, and those who do see a familiar brand name in the subdomain (mail.brand.com or news.brand.com) rather than an unfamiliar third-party ESP domain. The subdomain structure is recognisably from brand.com; the From: name that recipients see in their email client (which typically shows the display name rather than the technical email address) is unchanged.
The From: display name ("Brand Name" rather than "notifications@mail.brand.com") is what most recipients see in their email client without explicitly examining the technical From: address. As long as the display name remains consistent through the domain separation, the recipient experience is unchanged. Recipients who explicitly check the sending address -- typically technical users or security-conscious recipients -- will see the subdomain rather than the root domain, which is a minor change that rarely generates support inquiries when the subdomain is clearly branded.
For programmes concerned about recipient recognition changes, a brief transition period where both the old and new signing configurations are active -- and both appear in DMARC aggregate reports -- allows confirmation that neither configuration is generating unusual signals before the old configuration is fully retired. The transition monitoring period (2-4 weeks) provides operational confidence that the separation is working correctly before the old, shared configuration is removed.
Applying Separation to Additional Traffic Types
The transactional/marketing domain separation framework extends naturally to additional traffic types as the programme grows. A programme that later adds cold email outreach should use a completely separate root domain (not a brand.com subdomain) for cold email, as described in the traffic separation note. A programme that adds a new product line with its own distinct subscriber base may benefit from a separate marketing subdomain for that product line -- allowing its reputation to develop independently from the core brand's marketing subdomain.
The guiding principle for deciding when to add a new domain or subdomain: would this traffic type's signals, if co-mingled with another traffic type's signals, create reputation risk for the other? Transactional and marketing email co-mingled creates risk for transactional delivery. Cold email co-mingled with marketing email creates risk for marketing reputation. A new product line's marketing email co-mingled with the core brand's marketing email may not create material risk if both have similar quality profiles -- but would warrant separation if one has significantly lower quality than the other.
Domain separation is not a one-time configuration but an architecture discipline that evolves with the programme. Each new traffic type, new product line, or new acquisition should be evaluated against the separation framework before the first send. The evaluation takes 15 minutes; the implementation takes days to weeks; the reputation independence it provides is permanent. That ratio -- 15 minutes of evaluation for years of reputation protection -- makes domain separation evaluation one of the highest-ROI operational disciplines available in email infrastructure management.
The choice to keep transactional and marketing email on the same domain is not a neutral choice -- it is a choice to accept reputation entanglement that limits transactional delivery reliability and obscures marketing programme accountability. Domain separation eliminates both limitations at the cost of a 4-week configuration project. The time to implement it is before the next major marketing campaign generates the complaint rate that would have been contained to the marketing subdomain but instead affects the transactional domain that the product team depends on. Separate them now, while the implementation is a planned project rather than an incident response.
The Business Case for Domain Separation
The business case for transactional/marketing domain separation rests on the commercial cost of transactional delivery failures. A password reset that arrives in spam instead of the inbox produces: a frustrated user who may not find the email, a support ticket when they cannot access their account, potential account abandonment if the friction is too high, and in security-sensitive contexts, a degraded authentication security posture if users resort to weaker authentication methods to avoid the OTP delivery problem.
The commercial cost per transactional delivery failure varies by programme type: e-commerce (failed checkout confirmation may lead to order abandonment inquiry), SaaS (failed password reset may generate churn), financial services (failed transaction confirmation may generate compliance inquiries). In each case, the cost per failure is multiples of the cost of the domain separation implementation. A programme with 10,000 transactional sends per day that experiences 2% spam folder placement (200 failures per day) at an average cost of €10 per support incident generates €2,000 per day in avoidable support costs. The 4-week domain separation implementation at approximately €5,000 of engineering time pays back in less than 3 days if it eliminates the spam folder placement problem entirely.
The marketing case is subtler but also real. Marketing email that builds its own independent domain reputation -- not constrained by transactional signal averaging -- reaches its natural reputation ceiling faster than co-mingled email. A marketing programme that would achieve High domain reputation in 12 months on a separated subdomain may plateau at Medium on a shared domain because transactional signal averaging dilutes the marketing signals' contribution to the shared domain's reputation trend. The inbox placement improvement from reaching High reputation on the marketing subdomain produces the same compounding revenue improvement that the ROI framework note documents.
Domain separation is a small investment that removes a structural limitation from both transactional and marketing email delivery simultaneously. It requires no application changes, no list quality work, no additional IP provisioning -- only DNS configuration and PowerMTA configuration changes. It is among the purest infrastructure improvements available: configuration investment that produces permanent reputation architecture improvement. Make it part of every new programme's initial configuration and every existing programme's next infrastructure review. The operational benefits are immediate; the reputation independence compounds for the lifetime of the programme.
Monitoring Separated Domains: The Daily Routine
Once domain separation is implemented, the daily monitoring routine expands to cover both subdomains independently. The Postmaster Tools daily check reviews both mail.brand.com and news.brand.com separately: what is each subdomain's spam rate today? Is either subdomain showing a reputation tier change? Are there any authentication failures appearing in either subdomain's DMARC aggregate reports?
The separated monitoring provides the diagnostic clarity that shared-domain monitoring cannot: a spam rate increase that appears on news.brand.com but not on mail.brand.com immediately identifies the marketing programme as the source without requiring investigation to rule out transactional sends. A reputation tier decline on mail.brand.com that is not mirrored on news.brand.com points to a transactional-specific issue (authentication configuration, IP pool problem, or specific system notification that is generating unexpected signals) rather than a marketing quality problem.
The monitoring also confirms that the domain separation is working as intended. If a marketing campaign generates elevated complaint rates, the spam rate should increase on news.brand.com but remain stable on mail.brand.com. If this pattern holds, the separation is providing the intended reputation isolation. If both subdomains move together in response to marketing campaign events, there may be a routing error (marketing traffic leaking into the transactional VMTA) or a domain-level reputation linkage at Gmail that requires investigation.
The FBL complaint data, similarly, should be attributed to the correct subdomain. FBL complaints from marketing campaigns should appear under news.brand.com's domain attribution; FBL complaints from transactional messages (rare, but possible) should appear under mail.brand.com. If FBL complaint data is being mis-attributed -- marketing complaints appearing under the transactional subdomain -- it indicates an FBL registration or routing issue that needs correction to maintain accurate per-subdomain monitoring.
Domain separation between transactional and marketing email is one of those infrastructure decisions that, once made and implemented correctly, becomes invisible -- because everything works as it should. Transactional email delivers reliably without being affected by marketing campaign quality variations. Marketing email reputation reflects marketing programme quality directly and accurately. Both traffic types are monitored independently with clear accountability. The operational clarity and reliability this produces is worth every week of implementation effort and every minute of ongoing monitoring discipline. Implement it, monitor it, and let the separated reputation signals tell each traffic type's independent story.
From: Header Alignment After Separation
One practical detail that domain separation requires addressing: the From: header display address must align with the new subdomain signing. If transactional emails previously used noreply@brand.com as the From: address and the new transactional signing domain is mail.brand.com, the From: address should change to noreply@mail.brand.com for DMARC strict alignment, or remain at noreply@brand.com with DMARC relaxed alignment (since mail.brand.com is a subdomain of brand.com, relaxed alignment passes).
DMARC relaxed alignment is appropriate for most domain separation implementations: the From: address can remain at the root brand.com while signing with a subdomain, because relaxed alignment allows the subdomain to align with the parent domain. This means applications do not need to change their From: header configuration -- only the DKIM signing domain changes in PowerMTA, while the From: address visible to recipients remains unchanged. For programmes where changing the From: address would require application code changes and testing cycles, relaxed alignment is the implementation path that achieves reputation separation without application changes.
The DMARC record for the subdomain should specify the alignment mode that matches the implementation. If using relaxed alignment (From: at root domain, signing at subdomain): the subdomain's DMARC record should specify adkim=r (relaxed DKIM alignment). If changing the From: address to the subdomain as well: adkim=s (strict alignment) can be used, which provides stronger phishing protection at the cost of requiring the From: address to exactly match the signing domain.
The technical details of DMARC alignment mode selection are worth getting right during the implementation, because the wrong alignment mode can produce DMARC failures for legitimate messages that look indistinguishable from authentication failures caused by misconfiguration. Verify the alignment configuration with DMARC aggregate report review during the 4-week transition period to confirm that all legitimate messages are passing DMARC alignment before upgrading to p=quarantine enforcement. The transition period monitoring is the safety net that makes the DMARC policy upgrade from p=none to p=quarantine a confident operational step rather than a potentially disruptive change.
Domain separation is infrastructure configuration that works continuously in the background, providing reputation independence that compounds over the lifetime of the programme. Configure it correctly, verify it with DMARC aggregate reports, and monitor both subdomains independently. The operational discipline required is modest; the reputation protection and marketing accountability it provides are permanent. Every programme that sends both transactional and marketing email benefits from this separation. The question is not whether to implement it, but when -- and the answer is always: before the next marketing campaign creates the reputation event that should have been contained to the marketing subdomain.
Separate the domains. The rest becomes clearer.
Four weeks of implementation. Years of independent reputation. The arithmetic is clear.
Infrastructure Assessment
Our managed infrastructure onboarding includes domain separation configuration for transactional and marketing traffic as standard -- separate DKIM signing, separate Postmaster Tools properties, and per-subdomain reputation monitoring from day one. Request assessment →